5 User Management

Configure an Authentication Server

An LDAP server is included with Oracle Blockchain Platform Enterprise Edition or you can integrate your own authentication server.

Currently the following external authentication servers are supported:
  • OpenLDAP 2.4.44 or later
  • Oracle Internet Directory 12.2.1.4.0 or later
  • Oracle Unified Directory 12.2.1.4.0 or later
  • Microsoft Active Directory Windows Server 2016 or later with a single domain

Each instance within a Blockchain Platform Manager uses the same authentication server. You can create multiple Blockchain Platform Manager instances, and each one can use a different authentication server or share an authentication server.

Lifecycle of Identity Resources within Oracle Blockchain Platform

When you provision an instance through Blockchain Platform Manager, it deploys the embedded LDAP server (if you're not providing your own), and creates the LDAP groups OBP_<platform-name>_<instance-name>_xxxx.

When you delete an instance, Blockchain Platform Manager removes all the LDAP assets such as the LDAP groups from an LDAP server you have provided.

Configure the Built-In LDAP Server

The built-in LDAP server has a default configuration already set up when you log in. You can use it for testing, or modify the configuration to meet your needs.

  1. Open the Configuration tab.
  2. Click Add New.
  3. Enter the configuration information for the LDAP server:
    1. Configuration Name:
      Name must contain only ASCII alphanumerics and underscores.
    2. Authentication Server Type:
      Select OpenLDAP/OID.
    3. Host:
      Enter the fully-qualified host name of the directory server.
    4. Port:
      Enter the port number of the directory server.
    5. TLS Enabled:
      Setting this to True means you will connect to the directory server using a user name and password via SSL.
    6. Connect Timeout:
      In milliseconds.
    7. Base DN:
      Enter the base distinguished name of the directory you want to connect to. It should be in the form: ou=organizationunit,dc=mycompany,dc=com
    8. Root CA Certificate for Auth Server:
      If you're using a third-party TLS certificate or self-signed certificate, upload it in a .crt file.
    9. Bind User DN:
      The distinguished name of your administrative user account.
    10. Bind User Password:
      The password for the account.
    11. UserName Attribute:
      This is the filter used when searching to convert a login user name to a distinguished name.
    12. User Class Name:
      The objectClass attribute value for a user object in the directory.
    13. GroupName Attribute:
      This is the filter used when searching to convert a group name to a distinguished name.
    14. Group Membership Attribute:
      The membership attribute name of the group.
    15. Group Class Name:
      The ObjectClass attribute value for a group object in the directory.
  4. Click Test Configuration to ensure your settings work. The test results show if the configuration was successful.
  5. Click Save. Your configuration is now available to be used by any instances you provision.
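The UserName Attribute, User Class Name, GroupName Attribute, Group Membership Attribute and Group Class Name fields above are the pieces of the LDAP search filters the platform needs to turn a login name into a distinguished name and then check that DN against a group. The following is an added example (not Oracle's code; Blockchain Platform Manager performs these searches internally) that shows the shape of those filters and why a login name, which is untrusted input, must be escaped per RFC 4515 before it is placed in a filter. SAMPLE_CONFIG holds constructed OpenLDAP-style values; for Active Directory the equivalent attributes would typically be sAMAccountName, user, member and group.

```python
"""Show how the UserName/User Class/GroupName/Group Membership/Group Class
attributes combine into LDAP search filters, and why the login name must be
escaped before it is placed in a filter.

Added example, not Oracle's code: Blockchain Platform Manager performs these
searches internally; this illustrates the filter shapes the configuration
fields describe. SAMPLE_CONFIG holds constructed OpenLDAP-style values.
"""
from dataclasses import dataclass

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value so they cannot change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515. Each character is mapped once,
    so a backslash is escaped without its replacement being re-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class DirectoryConfig:
    """The attribute-related fields from the Authentication Server form."""
    base_dn: str
    username_attribute: str          # UserName Attribute, e.g. uid or sAMAccountName
    user_class_name: str             # User Class Name, e.g. inetOrgPerson or user
    groupname_attribute: str         # GroupName Attribute, e.g. cn
    group_membership_attribute: str  # Group Membership Attribute, e.g. member
    group_class_name: str            # Group Class Name, e.g. groupOfNames or group


# Constructed sample values for an OpenLDAP directory (not from the page).
SAMPLE_CONFIG = DirectoryConfig(
    base_dn="dc=mycompany,dc=com",
    username_attribute="uid",
    user_class_name="inetOrgPerson",
    groupname_attribute="cn",
    group_membership_attribute="member",
    group_class_name="groupOfNames",
)


def user_lookup_filter(cfg: DirectoryConfig, login_name: str) -> str:
    """Filter that should match exactly one entry; that entry's DN is the
    user's DN. The login name is untrusted input and is escaped."""
    return (
        f"(&(objectClass={cfg.user_class_name})"
        f"({cfg.username_attribute}={escape_filter_value(login_name)}))"
    )


def group_membership_filter(cfg: DirectoryConfig, group_name: str, user_dn: str) -> str:
    """Filter that matches the group entry only if user_dn is listed as a
    member, e.g. to confirm membership in OBP_<platform-name>_CP_ADMIN
    before Blockchain Platform Manager access is granted."""
    return (
        f"(&(objectClass={cfg.group_class_name})"
        f"({cfg.groupname_attribute}={escape_filter_value(group_name)})"
        f"({cfg.group_membership_attribute}={escape_filter_value(user_dn)}))"
    )


if __name__ == "__main__":
    # A login name carrying filter metacharacters is neutralised by escaping.
    print(user_lookup_filter(SAMPLE_CONFIG, "alice"))
    print(user_lookup_filter(SAMPLE_CONFIG, "*)(uid=*"))
    print(group_membership_filter(
        SAMPLE_CONFIG, "OBP_prod_CP_ADMIN", "uid=alice,ou=people,dc=mycompany,dc=com"))
```

The printed filters can be handed to ldapsearch with -b set to the configured Base DN to verify that a login name resolves to exactly one entry and that the entry is a member of the expected OBP_ group; a login that resolves to zero or more than one entry should be treated as a failed lookup.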

Once you've activated your LDAP configuration by selecting it in the Active LDAP Configuration field, you need to log out of Blockchain Platform Manager with your administrative ID, and log in with a user ID that exists in the LDAP server as described in Add Users to Your LDAP Server Using a Script or Add Users to Your LDAP Server Using Blockchain Platform Manager.

Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.

Add Users to Your LDAP Server Using a Script

Once you've configured your LDAP server in Blockchain Platform Manager, you need to add users to the LDAP server to create an instance.

The following steps describe how to add the initial user to the built-in LDAP server using a provided script:
  1. Log into the VM instance as a Unix user. The initial user name and password are oracle and Welcome1. You'll be prompted to change the password immediately.
  2. Change directories to /u01/blockchain/ldap/environment and run the adduser.sh script:
    1. cd /u01/blockchain/ldap/environment/
    2. ./adduser.sh user_name platform_name
      where platform_name is the Platform Manager Name set on the Configuration page Platform Settings tab of Blockchain Platform Manager.
    3. You will be prompted to enter a password for the new user, as well as a password for the administrator who will authenticate user and group addition requests.
    4. The script will add a new user to the group OBP_<platform name>_CP_ADMIN which will have administrative access to Blockchain Platform Manager in order to create and modify instances.

Ensure that you've logged out of Blockchain Platform Manager, and then log in using this user ID and password. You can now provision an Oracle Blockchain Platform instance.

Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.

Add Users to Your LDAP Server Using Blockchain Platform Manager

Once you've configured your LDAP server in Blockchain Platform Manager, you need to add users to the LDAP server, and then log back into Blockchain Platform Manager with one of these users to create an instance.

Once you've created your LDAP configuration, you need to add your initial user to the LDAP server. On the Authentication Server Configuration page of Blockchain Platform Manager, click Add User. Once you've entered the user name and password, this user will be added to the LDAP server as an administrative user. You can now log out of Blockchain Platform Manager with your administrative ID, and log in with this user ID to create an instance.

Ensure that you've logged out of Blockchain Platform Manager, and then log in using this user ID and password. You can now provision an Oracle Blockchain Platform instance.

Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.

Configure an External OpenLDAP, Oracle Unified Directory, or Oracle Internet Directory LDAP Server

If you don't want to use the LDAP server provided with the product, you must have installed your own OpenLDAP, Oracle Unified Directory, or Oracle Internet Directory server 12.2.1.4.0 or later before completing this configuration step.

  • An external LDAP server should be installed for any production environment. It should be protected by TLS certificates; self-signed certificates should be used for internal testing only. If you are using self-signed certificates, complete these steps before configuring the LDAP server through Blockchain Platform Manager:
    1. Generate a root CA key/certificate pair.
    2. Generate a server key/certificate pair signed using the root CA pair.
  • When configuring the server in Blockchain Platform Manager you will need to upload the root CA certificate.
  • You can specify up to two backup directory servers, which are used if the primary server does not respond. If you specify backup directory servers, you must configure data replication yourself. Blockchain Platform Manager does not configure data replication between the primary directory server and the backup directory servers.
  1. Open the Configuration tab.
  2. Click Add New.
  3. Enter the configuration information for the LDAP server:
    1. Configuration Name:
      Name must contain only ASCII alphanumerics and underscores.
    2. Authentication Server Type:
      Select OpenLDAP/OID.
    3. Host:
      Enter the fully-qualified host name of the directory server.
    4. Backup OpenLDAP/OID Servers:
      Optional: Enter the fully-qualified host name of up to two backup directory servers. If Blockchain Platform Manager is unable to connect to the first backup it will attempt to connect to the second one automatically.
    5. Port:
      Enter the port number of the directory server.
    6. TLS Enabled:
      Setting this to True means you will connect to the directory server using a user name and password via SSL.
    7. Connect Timeout:
      In milliseconds.
    8. Base DN:
      Enter the base distinguished name of the directory you want to connect to. It should be in the form: ou=organizationunit,dc=mycompany,dc=com
    9. Root CA Certificate for Auth Server:
      If you're using a third-party TLS certificate or self-signed certificate, upload it in a .crt file.
    10. Bind User DN:
      The distinguished name of your administrative user account.
    11. Bind User Password:
      The password for the account.
    12. UserName Attribute:
      This is the filter used when searching to convert a login user name to a distinguished name.
    13. User Class Name:
      The objectClass attribute value for a user object in the directory.
    14. GroupName Attribute:
      This is the filter used when searching to convert a group name to a distinguished name.
    15. Group Membership Attribute:
      The membership attribute name of the group.
    16. Group Class Name:
      The ObjectClass attribute value for a group object in the directory.
  4. Click Test Configuration to ensure your settings work. The test results show if the configuration was successful.
  5. Click Save. Your configuration is now available to be used by any instances you provision. Click Set Active when you're ready to activate the configuration.

After you've activated your LDAP configuration by selecting it in the Authentication Servers field, you need to log out of Blockchain Platform Manager with your administrative ID, and log in with a user ID that exists in the LDAP server as described in Add Users to an External LDAP Server.

Add Users to an External LDAP Server

Once you've configured your LDAP server in Blockchain Platform Manager, you need to add users to the LDAP server to create an instance.

The following steps describe how to add the initial user to your separately-installed LDAP server:
  1. Create your administrative user if one doesn't already exist.
  2. Create the OBP_<platform name>_CP_ADMIN group if it doesn't exist.
  3. Add the user as a member of the OBP_<platform name>_CP_ADMIN group.
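The three steps above are ordinary directory changes, so they can be scripted as LDIF and applied with the standard OpenLDAP tools. The following is an added example (not Oracle's code, and not the product's adduser.sh script) that generates that LDIF and also derives the per-instance group names listed under User Groups and Roles, which is handy for auditing the directory after an instance has been provisioned. It assumes the inetOrgPerson and groupOfNames/member object classes; the platform, instance, user and DN values are constructed samples. The example restricts name components to ASCII alphanumerics and underscores, the same rule the page gives for configuration names, so the generated DNs never need RFC 4514 escaping.

```python
"""Produce the LDIF for the three bootstrap steps on an external OpenLDAP
server (admin user, OBP_<platform name>_CP_ADMIN group, membership), and
derive the per-instance group names the platform creates on provisioning.

Added example, not Oracle's code or its adduser.sh script. It assumes the
inetOrgPerson and groupOfNames/member object classes; platform, instance,
user and DN values are constructed samples.
"""
import re

# Restrict name components to the character set the page requires for
# configuration names; this also keeps the generated DNs free of characters
# that would need RFC 4514 escaping (commas, plus signs, quotes, ...).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def is_safe_name(value: str) -> bool:
    return bool(_SAFE_NAME.match(value))


def _checked(label: str, value: str) -> str:
    if not is_safe_name(value):
        raise ValueError(f"{label} must contain only ASCII alphanumerics and underscores: {value!r}")
    return value


def cp_admin_group_name(platform: str) -> str:
    """Group whose members may log in to Blockchain Platform Manager."""
    return f"OBP_{_checked('platform name', platform)}_CP_ADMIN"


def instance_group_names(platform: str, instance: str) -> list:
    """Groups the platform itself creates for one instance (see User Groups
    and Roles); useful for auditing the directory after provisioning."""
    prefix = f"OBP_{_checked('platform name', platform)}_{_checked('instance name', instance)}"
    return [prefix] + [f"{prefix}_{role}" for role in ("CA_ADMIN", "ADMIN", "USER", "REST")]


def bootstrap_ldif(platform: str, user_uid: str, users_base: str, groups_base: str,
                   create_user: bool = True) -> str:
    """LDIF change records that create the admin user (when create_user is
    True) and the CP_ADMIN group with that user as its member."""
    _checked("user id", user_uid)
    user_dn = f"uid={user_uid},{users_base}"
    group = cp_admin_group_name(platform)
    records = []
    if create_user:
        records += [
            f"dn: {user_dn}",
            "changetype: add",
            "objectClass: inetOrgPerson",
            f"uid: {user_uid}",
            f"cn: {user_uid}",
            f"sn: {user_uid}",
            "# userPassword is deliberately omitted; set it with ldappasswd after the add",
            "",
        ]
    records += [
        f"dn: cn={group},{groups_base}",
        "changetype: add",
        "objectClass: groupOfNames",
        f"cn: {group}",
        f"member: {user_dn}",
        "",
    ]
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample values; replace with your own platform name and DNs.
    print(bootstrap_ldif("prod", "obpadmin_ext", "ou=people,dc=mycompany,dc=com",
                         "ou=groups,dc=mycompany,dc=com"))
    print(instance_group_names("prod", "inst1"))
```

Write the output to a file and apply it with ldapmodify -x -H ldaps://<host> -D '<Bind User DN>' -W -f bootstrap.ldif. If the administrative user already exists, either call bootstrap_ldif with create_user=False or add -c so ldapmodify continues past the "Already exists" result for the user record and still creates the group.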

Ensure that you've logged out of Blockchain Platform Manager, and then log in using this user ID and password. You can now provision an Oracle Blockchain Platform instance.

Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.

Configure an External Microsoft Active Directory Authentication Server

If you don't want to use the LDAP server provided with the product, you must have installed your own Microsoft Active Directory Windows Server 2016 or later with a single domain before completing this configuration step.

  • An external authentication server should be installed for any production environment. It should be protected by CA certificates; self-signed certificates should be used for internal testing only. If you are using self-signed certificates, complete these steps before configuring the authentication server through Blockchain Platform Manager:
    1. Generate a root CA key/certificate pair.
    2. Generate a server key/certificate pair signed using the root CA pair.
  • When configuring the server in Blockchain Platform Manager you will need to upload the root CA certificate.
  • All necessary user groups should be created in Microsoft Active Directory before configuring it as the authentication server for Blockchain Platform. During the configuration process you will map these groups to pre-existing Blockchain Platform groups in order to control user access and capabilities. For a complete list of Blockchain Platform groups and their roles see: User Groups and Roles.

  1. Open the Configuration tab.
  2. Click Add New.
  3. Enter the configuration information for the authentication server:
    1. Configuration Name:
      Name must contain only ASCII alphanumerics and underscores.
    2. Authentication Server Type:
      Select Active Directory.
    3. Primary Domain Controller:
      Enter the domain controller for the Active Directory server.
    4. Backup Domain Controller:
      Optional: Enter the backup domain controllers for the Active Directory server. You can add a maximum of two. If Blockchain Platform Manager is unable to connect to the first backup it will attempt to connect to the second one automatically.
    5. Port:
      Enter the port number of the directory server.
    6. TLS Enabled:
      Setting this to True means you will connect to the directory server using a user name and password via SSL.
    7. Base DN:
      Enter the base distinguished name of the directory you want to connect to. It should be in the form: ou=organizationunit,dc=mycompany,dc=com
    8. Root CA Certificate for Auth Server:
      Upload the root CA certificate for the authentication server in a .crt file.
    9. User name:
      Enter the user name of your user account. Any user account with read capability is sufficient.
    10. Password:
      The password for the account.
    11. UserName Attribute:
      This is the filter used when searching to convert a login user name to a distinguished name.
    12. User Class Name:
      The objectClass attribute value for a user object in the directory.
    13. GroupName Attribute:
      This is the filter used when searching to convert a group name to a distinguished name.
    14. Group Membership Attribute:
      The membership attribute name of the group.
    15. Group Class Name:
      The ObjectClass attribute value for a group object in the directory.
  4. Map your Active Directory group names to the Blockchain Platform groups that control user access and function:
    1. Blockchain Platform Manager Users
    2. CA Administrators
    3. REST Proxy Client Users
    4. Blockchain Instance Admins
    5. Blockchain Instance Users
    All groups must be created in Microsoft Active Directory before you configure it as your authentication server. See User Groups and Roles for a detailed description of each group.
  5. Click Test Configuration to ensure your settings work. The test results show if the configuration was successful.
  6. Click Save. Your configuration is now available to be used by any instances you provision.

After you've activated your authentication server configuration by selecting it in the Authentication Servers field, you need to log out of Blockchain Platform Manager with your administrative ID, and log in with a user ID that exists in Active Directory with membership in the Blockchain Platform Manager Users group.

User Groups and Roles

This overview describes the groups and roles that are relevant to Oracle Blockchain Platform. Anyone who uses or administers Oracle Blockchain Platform must be added to the authentication server and granted the correct group.

Groups

Below are the group roles that are available for Oracle Blockchain Platform.

For each user role, the entries below give the group name in LDAP (OpenLDAP, Oracle Internet Directory, or Oracle Unified Directory), the Microsoft Active Directory group name, and a description of the role.

Application
  LDAP group name: OBP_<platform-name>_<instance-name>
  Active Directory group name: Not applicable
  Security identifier for an individual instance.

Control Plane management
  LDAP group name: OBP_<platform-name>_CP_ADMIN
  Active Directory group name: Blockchain Platform Manager Users
  User can provision a new Oracle Blockchain Platform instance, configure existing instances, set the LDAP configuration, and perform life cycle operations on Oracle Blockchain Platform instances.
  A user must be a member of this group to be able to log in to the Blockchain Platform Manager or create an instance.

CA Administrator
  LDAP group name: OBP_<platform-name>_<instance-name>_CA_ADMIN
  Active Directory group name: CA Administrators
  The CA Admin group is the bootstrap and overall administrator for the Oracle Blockchain Platform application. Users must be part of this group to create an instance.

Instance Administrator
  LDAP group name: OBP_<platform-name>_<instance-name>_ADMIN
  Active Directory group name: Blockchain Instance Admins
  Users in this group can manage instances via the console UI or REST. Users must be part of this group to create an instance.
  See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role.

Instance User
  LDAP group name: OBP_<platform-name>_<instance-name>_USER
  Active Directory group name: Blockchain Instance Users
  Users in this group can view instances via the console UI or REST.
  See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role.

REST Proxy Client
  LDAP group name: OBP_<platform-name>_<instance-name>_REST
  Active Directory group name: REST Proxy Client Users
  Users in this group can call the REST proxy to execute transactions using the default enrollment.

Access Control List for Console Function by User Roles

The following table lists which console features are available to the Instance Administrator and Instance User roles.

Feature                                    Instance Administrator  Instance User
Dashboard                                  Yes                     Yes
Network: list orgs                         Yes                     Yes
Network: add orgs                          Yes                     No
Network: Ordering service setting          Yes                     No
Network: Export certificates               Yes                     No
Network: Export orderer settings           Yes                     Yes
Node: list                                 Yes                     Yes
Node: start/stop/restart                   Yes                     No
Node: view attributes                      Yes                     Yes
Node: edit attributes                      Yes                     No
Node: view metrics                         Yes                     Yes
Node: Export/Import Peers                  Yes                     No
Peer Node: list channels                   Yes                     Yes
Peer Node: join channel                    Yes                     No
Peer Node: list chaincode                  Yes                     Yes
Channel: list                              Yes                     Yes
Channel: create                            Yes                     No
Channel: add org to channel                Yes                     No
Channel: Update ordering service settings  Yes                     No
Channel: view/query ledger                 Yes                     Yes
Channel: list instantiated chaincode       Yes                     Yes
Channel: list joined peers                 Yes                     Yes
Channel: set anchor peer                   Yes                     No
Channel: upgrade chaincode                 Yes                     No
Chaincode: list                            Yes                     Yes
Chaincode: install                         Yes                     No
Chaincode: instantiate                     Yes                     No
Sample chaincode: install                  Yes                     No
Sample chaincode: instantiate              Yes                     No
Sample chaincode: invoke                   Yes                     Yes
CRL                                        Yes                     No